United States Releases National Cybersecurity Strategy — March 2, 2023

The US National Cybersecurity Strategy released March 2023 shifted responsibility toward software vendors and critical infrastructure operators. Secure-by-design principles, software liability discussions, and critical infrastructure protection shaped subsequent regulatory initiatives.

Verified for technical accuracy — Kodi C.

The Biden-Harris Administration released the National Cybersecurity Strategy on March 2, 2023, articulating five pillars that seek to (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships. The strategy calls for minimum cybersecurity requirements across critical sectors, secure-by-design software, zero trust adoption throughout the federal enterprise, and coordinated action with allies. CISOs and board leaders should align roadmaps with the strategy’s objectives and prepare for upcoming regulatory and funding initiatives.

Pillar 1 — Defend critical infrastructure

The strategy directs sector risk management agencies (SRMAs) to develop and enforce cybersecurity performance goals, harmonize regulations, and support modernization of legacy systems. The Cybersecurity and Infrastructure Security Agency (CISA) published cross-sector cybersecurity performance goals (CPGs) to guide baseline controls, and agencies will convert voluntary measures into enforceable requirements where appropriate. Priority actions include implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), expanding Transportation Security Administration (TSA) directives, and using grant programs to uplift state and local defenses.

Pillar 2 — Disrupt and dismantle threat actors

The administration commits to integrating diplomatic, military, intelligence, and law enforcement tools to impose costs on malicious actors. Initiatives include sustained counter-ransomware operations, improved information sharing with cloud and infrastructure providers, and coordinated takedowns with international partners. The strategy highlights the Joint Cyber Defense Collaborative (JCDC) as a mechanism to share real-time telemetry, while encouraging public-private operations to seize infrastructure and recover ransomware payments.

Pillar 3 — Shape market forces to drive security and resilience

The strategy proposes shifting liability for insecure software onto vendors and promoting secure development practices through procurement incentives. The administration plans to work with Congress on legislation establishing a higher standard of care for software providers and exploring a safe harbor for teams that follow secure development frameworks. Federal acquisition rules will prioritize software bills of materials (SBOMs), memory-safe languages, and secure-by-design attestations. The strategy also emphasizes expanding cyber insurance coverage tied to strong risk management.

Pillar 4 — Invest in a resilient future

Investments will target research and development in post-quantum cryptography, secure semiconductors, clean energy infrastructure, and cybersecurity workforce pipelines. The strategy aligns with CHIPS and Science Act funding, National Science Foundation cyber training programs, and the National AI Research Resource. Agencies will modernize legacy IT, deploy zero trust architectures following OMB Memorandum M-22-09, and improve data sharing for national security missions.

Pillar 5 — Forge international partnerships

The U.S. will deepen cybersecurity cooperation through NATO, the Quad, the International Counter Ransomware Initiative, and regional partnerships. Objectives include promoting responsible state behavior in cyberspace, aligning on secure-by-design standards, supporting capacity-building in developing nations, and enhancing collective response to incidents.

Implementation roadmap for enterprises

  1. Assess regulatory impact: Map the strategy to pending rulemakings (SEC cyber disclosures, CIRCIA, updated TSA security directives, Federal Trade Commission actions). Establish policy monitoring teams and prepare comment strategies.
  2. Enhance critical infrastructure controls: Align security programs with CISA CPGs, NIST Cybersecurity Framework 2.0, and sector-specific guidelines (NERC CIP, HIPAA, FFIEC). Document compliance evidence for regulators and insurers.
  3. Adopt secure-by-design practices: Implement NIST Secure Software Development Framework (SSDF), supply-chain risk management, and memory-safe coding initiatives. Produce SBOMs and vulnerability disclosure programs to meet federal procurement expectations.
  4. Accelerate zero trust: Execute identity governance, network segmentation, encryption, and continuous monitoring initiatives consistent with OMB M-22-09 and CISA Zero Trust Maturity Model. Measure progress against federal baselines even for private-sector teams.
  5. Strengthen incident response partnerships: Participate in Information Sharing and Analysis Centers (ISACs), JCDC initiatives, and regional cyber exercises. Develop mutual aid agreements and escalation protocols for federal coordination.

Sector-specific guidance

Energy and utilities: Prepare for expanded mandatory reliability standards and supply-chain risk rules (NERC CIP-013). Invest in operational technology (OT) segmentation, anomaly detection, and incident reporting alignment with CIRCIA.
Healthcare: Align with HHS 405(d) practices, implement multifactor authentication, and prepare for potential minimum security requirements tied to Medicare reimbursement.
Financial services: Coordinate with Treasury’s Financial Stability Oversight Council initiatives, operational resilience frameworks, and upcoming SEC cyber disclosure rules. Integrate cyber metrics into capital planning and Model Risk Management.
Technology and software: Evaluate liability exposure, transition to secure-by-design methodologies, and prepare attestations for federal procurement. Expand bug bounty programs and adopt memory-safe languages.

Measurement and reporting

Establish metrics linked to the five pillars: percentage of critical systems aligned with CISA CPGs, mean time to detect/respond to incidents, secure development lifecycle adherence, SBOM coverage, zero trust maturity scores, joint operations participation, and international collaboration engagements. Present metrics to boards alongside business risk indicators. Include cyber resilience objectives in ESG reporting and sustainability disclosures.

Workforce and talent considerations

The strategy highlights the need for a diverse cyber workforce. Teams should invest in apprenticeships, reskilling programs, and partnerships with community colleges. Adopt NICE Framework-aligned role definitions and career pathways. Implement retention incentives, remote work policies, and wellbeing programs to reduce burnout. Coordinate with federal workforce initiatives to tap grant funding and talent exchanges.

International alignment and supply-chain security

Global enterprises should harmonize compliance with allied strategies such as the EU Cybersecurity Act, UK Cyber Essentials, and Australia’s 2023-2030 cybersecurity strategy. Strengthen supplier assurance through continuous monitoring, third-party risk assessments, and contractual clauses requiring secure development and incident reporting. Use collective defense arrangements to share threat intelligence across borders.

Preparing for secure software liability reforms

Legal teams should evaluate potential legislative proposals shifting liability for insecure products. Develop product safety cases documenting secure development, vulnerability management, and customer support processes. Maintain records of coordinated vulnerability disclosure (CVD) activities and patch timelines to show due diligence. Engage industry associations to influence policy development.

This brief helps enterprises translate the National Cybersecurity Strategy into actionable programs spanning zero trust, secure-by-design development, and regulatory readiness.

Security Monitoring and Response

If you are affected, implement continuous monitoring mechanisms to detect and respond to security incidents related to this vulnerability or threat. Security operations centers should update detection rules, threat hunting hypotheses, and incident response procedures to address the specific attack patterns and indicators associated with this development. Regular testing of detection and response capabilities ensures readiness to handle related security events.

Post-incident analysis should document lessons learned and drive improvements to preventive and detective controls. Information sharing with industry peers and sector-specific information sharing organizations contributes to collective defense against common threats.

Cited sources

  1. National Cybersecurity Strategy (2023) — White House
  2. Fact Sheet — Biden-Harris Administration’s National Cybersecurity Strategy — White House
  3. CISA Cross-Sector Cybersecurity Performance Goals — Cybersecurity and Infrastructure Security Agency
  4. OMB Memorandum M-22-09 — Moving the U.S. Government Toward Zero Trust — Office of Management and Budget